In this new wave of technology, you can't do it all yourself, you have to form alliances. In describing today's accelerating changes, the media fire blips of unrelated information at us. Experts bury us under mountains of narrowly specialized monographs. Popular forecasters present lists of unrelated trends, without any model to show us their interconnections or the forces likely to reverse them. As a result, change itself comes to be seen as anarchic, even lunatic.

Wednesday, April 22, 2009

Valid Range: 0, 1 (false, true)
Default: 0 (false)
Description: The routing service uses this value to control whether or not IP multicasts are forwarded. This value is created by the Routing and Remote Access service.

Description: IP source routing is a mechanism that allows the sender to specify the route an IP packet should take through the network, instead of leaving that decision to the routers along the way. The Ping and Tracert tools have command-line options to specify source routing. Because a source-routed packet can be steered around the path a filtering device expects it to take, hosts and routers that do not need the feature normally drop source-routed packets rather than accept or forward them.

Many of the TCP/IP registry values supported in Windows XP and Windows Server 2003 are not supported by TCP/IP in Windows Vista and Windows Server 2008. You can configure additional TCP/IP settings with command-line parameters for the following Netsh commands at a Windows command prompt with administrator-level permissions:
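As an added example (not part of the original post), the following PowerShell script audits the two behaviours described in the fragments above, source routing and multicast forwarding, through the `netsh interface ipv4/ipv6 ... global` parameters that replaced the XP/2003 registry values on Windows Vista and Windows Server 2008 and later, and sets both to the hardened value. It assumes the English-locale labels of netsh's output ("Source Routing Behavior", "Multicast Forwarding") and the parameter names `sourceroutingbehavior` and `multicastforwarding` as printed by `netsh interface ipv4 set global ?`; confirm both on your build before relying on it.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
# Assumption: 'netsh interface <fam> show global' prints one "Name : value"
# pair per line with English labels, as it does on Vista/7/2008.

function Get-NetshGlobal {
    param([ValidateSet('ipv4','ipv6')][string]$Family)
    $settings = @{}
    foreach ($line in (& netsh interface $Family show global)) {
        # Lines without a "name : value" shape (banner, separators) are skipped.
        if ($line -match '^\s*(.+?)\s*:\s*(\S.*)$') {
            $settings[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    return $settings
}

function Test-HostForwardingHardened {
    # True only if both IP families drop source-routed packets and have
    # multicast forwarding off (a host that is not an RRAS router should
    # never forward multicasts).
    $ok = $true
    foreach ($fam in 'ipv4','ipv6') {
        $g = Get-NetshGlobal -Family $fam
        if ($g['Source Routing Behavior'] -ne 'drop') {
            Write-Warning "$fam accepts source-routed packets (value: $($g['Source Routing Behavior']))"
            $ok = $false
        }
        if ($g['Multicast Forwarding'] -ne 'disabled') {
            Write-Warning "$fam multicast forwarding is on (value: $($g['Multicast Forwarding']))"
            $ok = $false
        }
    }
    return $ok
}

function Set-HostForwardingHardened {
    # sourceroutingbehavior={drop|forward|dontforward}; the Windows default
    # 'dontforward' still accepts source-routed packets addressed to the host.
    # store=persistent makes the change survive a reboot.
    foreach ($fam in 'ipv4','ipv6') {
        & netsh interface $fam set global sourceroutingbehavior=drop store=persistent | Out-Null
        & netsh interface $fam set global multicastforwarding=disabled store=persistent | Out-Null
    }
}

if (-not (Test-HostForwardingHardened)) {
    Set-HostForwardingHardened
    "Hardened: $(Test-HostForwardingHardened)"
} else {
    'Already hardened.'
}
```

On a machine that is meant to route (RRAS with multicast routing enabled), leave multicast forwarding alone and only apply the source-routing change; the script is written for an ordinary host.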

Thursday, April 16, 2009

- The 128-bit address space for IPv6 provides ample room to provide every device on the present and foreseeable future Internet with a globally reachable address.

Efficient routing

- With a streamlined IPv6 header and addressing that supports hierarchical routing infrastructures, IPv6 routers on the Internet can forward IPv6 traffic faster than their IPv4 counterparts.

Ease of configuration

- IPv6 hosts can configure themselves by either interacting with a Dynamic Host Configuration Protocol for IPv6 (DHCPv6) server or by interacting with their local router and using stateless address autoconfiguration.

Enhanced security

- The IPv6 standards address some of the security weaknesses of IPv4: the sparse 128-bit address space makes blind address scanning far more expensive than on IPv4, and the IPv6 node requirements make IPsec support mandatory for conforming implementations. Neither point is a guarantee. Hosts whose interface identifiers are derived from the MAC address (EUI-64) or chosen from a small range are still easy to enumerate, port scanning of a known host is no harder than on IPv4, and a stack that supports IPsec protects nothing until IPsec policy is actually configured between the endpoints.

The implementation of IPv6 in Windows XP and Windows Server 2003 is a dual stack architecture. For IPv6 support, you have to install a separate protocol through the Network Connections folder. The separate IPv6 protocol stack has its own Transport layer, including Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), and its own Framing layer. Changes to protocols in either the Transport or Framing layers had to be made in two Windows drivers: Tcpip.sys for the IPv4 protocol stack and Tcpip6.sys for the IPv6 protocol stack.

The Next Generation TCP/IP stack supports the dual IP layer architecture in which the IPv4 and IPv6 implementations share common Transport and Framing layers. The Next Generation TCP/IP stack has both IPv4 and IPv6 enabled by default. There is no need to install a separate component to obtain IPv6 support.
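The caveat to the address-scanning claim above can be checked on a host. As an added example (not part of the original post), the PowerShell below flags IPv6 addresses whose interface identifier is a modified EUI-64, recovers the MAC address they embed, and, where the NetTCPIP module exists (Windows 8 / Server 2012 and later; an assumption, since the post covers Vista/2008), runs the same check against the live stack. The sample addresses are constructed for the demonstration, not captured from any real host.

```powershell
# Added example, not from the original post. A modified EUI-64 interface
# identifier (RFC 4291, Appendix A) is the 48-bit MAC address split around
# 0xFFFE with the universal/local bit flipped; such addresses are
# predictable, which is why the "large address space defeats scanning"
# argument does not hold for them.

function Test-Eui64Address {
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) { return $false }
    $b = $ip.GetAddressBytes()     # 16 bytes; bytes 8..15 are the interface identifier
    return ($b[11] -eq 0xFF -and $b[12] -eq 0xFE)
}

function Get-MacFromEui64 {
    # Reverse the construction: drop the 0xFFFE filler and flip the U/L bit.
    param([Parameter(Mandatory)][string]$Address)
    if (-not (Test-Eui64Address $Address)) { return $null }
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $mac = @(($b[8] -bxor 0x02), $b[9], $b[10], $b[13], $b[14], $b[15])
    return ($mac | ForEach-Object { $_.ToString('X2') }) -join '-'
}

# Constructed samples: one SLAAC/EUI-64 address (embeds MAC 00-15-5D-01-2A-3B),
# one privacy-style random address, and loopback.
$samples = @('2001:db8:1::215:5dff:fe01:2a3b',
             '2001:db8:1::9c4e:1f27:ab0c:77d1',
             '::1')
foreach ($a in $samples) {
    $mac = Get-MacFromEui64 $a
    if ($mac) { "$a  EUI-64 from MAC $mac  (predictable, enumerable)" }
    else      { "$a  not EUI-64" }
}

# Live check where Get-NetIPAddress exists (assumption: Windows 8 / 2012 or later).
if (Get-Command Get-NetIPAddress -ErrorAction SilentlyContinue) {
    Get-NetIPAddress -AddressFamily IPv6 |
        Where-Object { Test-Eui64Address $_.IPAddress } |
        Select-Object InterfaceAlias, IPAddress, PrefixOrigin, SuffixOrigin
}
```

If the live check lists global addresses, the host is advertising its MAC address to every peer it talks to; Windows can randomise interface identifiers and use temporary addresses instead (`netsh interface ipv6 show global` and `netsh interface ipv6 show privacy` show the current settings).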

CHAP is an authentication scheme used by Point to Point Protocol (PPP) servers to validate the identity of remote clients. CHAP periodically verifies the identity of the client by using a three-way handshake. This happens at the time of establishing the initial link, and may happen again at any time afterwards. The verification is based on a shared secret (such as the client user's password).

After the link establishment phase completes:

1. The authenticator sends a "challenge" message to the peer.
2. The peer responds with a value calculated using a one-way hash function (MD5 in CHAP as defined in RFC 1994) over the packet identifier, the shared secret and the challenge value.
3. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authenticator acknowledges the authentication; otherwise it should terminate the connection.
4. At random intervals the authenticator sends a new challenge to the peer and repeats steps 1 through 3.

CHAP provides protection against replay attack by the peer through the use of an incrementally changing identifier and of a variable challenge value. CHAP requires that both the client and server know the plaintext of the secret, although it is never sent over the network. The flip side is that the authenticator has to store the secret in recoverable form, and anyone who captures a challenge/response pair can run an offline dictionary attack against the secret.
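The exchange described above, as an added example that is not part of the original post: both sides are simulated in one PowerShell script, with the response computed the way RFC 1994 specifies it, MD5 over Identifier || secret || Challenge. The shared secret, identifier and challenge values are constructed for the demonstration.

```powershell
# Added example, not from the original post. Simulates the CHAP three-way
# handshake (RFC 1994) for both the authenticator and the peer.

function Get-ChapResponse {
    # Peer side: Response = MD5(Identifier || secret || Challenge).
    param(
        [Parameter(Mandatory)][byte]$Identifier,
        [Parameter(Mandatory)][string]$Secret,
        [Parameter(Mandatory)][byte[]]$Challenge
    )
    $secretBytes = [System.Text.Encoding]::UTF8.GetBytes($Secret)
    $data = [byte[]](@($Identifier) + $secretBytes + $Challenge)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    try { return $md5.ComputeHash($data) } finally { $md5.Dispose() }
}

function New-ChapChallenge {
    # Authenticator side: a fresh, unpredictable challenge for every round.
    param([int]$Length = 16)
    $buf = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($buf) } finally { $rng.Dispose() }
    return $buf
}

function Test-ChapResponse {
    # Authenticator side: recompute the expected value and compare all bytes
    # without early exit, so timing does not leak which byte differed.
    param([byte]$Identifier, [string]$Secret, [byte[]]$Challenge, [byte[]]$Response)
    $expected = Get-ChapResponse -Identifier $Identifier -Secret $Secret -Challenge $Challenge
    if ($expected.Length -ne $Response.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $expected.Length; $i++) {
        $diff = $diff -bor ($expected[$i] -bxor $Response[$i])
    }
    return ($diff -eq 0)
}

$secret = 'correct horse battery staple'   # constructed shared secret, known to both sides

# Step 1: authenticator issues Identifier + Challenge.
$id1 = [byte]7; $chal1 = New-ChapChallenge
# Step 2: peer answers with the hash.
$resp1 = Get-ChapResponse -Identifier $id1 -Secret $secret -Challenge $chal1
# Step 3: authenticator verifies.
"Round 1 accepted: $(Test-ChapResponse $id1 $secret $chal1 $resp1)"

# Step 4: a later re-challenge uses a new identifier and challenge, so a
# replayed copy of the earlier response no longer verifies.
$id2 = [byte]($id1 + 1); $chal2 = New-ChapChallenge
"Replayed response accepted: $(Test-ChapResponse $id2 $secret $chal2 $resp1)"
```

The replay protection comes entirely from the challenge being fresh; an authenticator that reuses challenges, or a peer that accepts a predictable one, loses it.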

Microsoft has implemented a variant of the Challenge-handshake authentication protocol, called MS-CHAP, whose response is computed from the NT hash of the password rather than from the password itself. The authenticator can therefore store the hash instead of the plaintext secret; the client still needs the user's password in order to derive the hash.

MS-CHAP is the Microsoft version of the Challenge-handshake authentication protocol, CHAP. The protocol exists in two versions, MS-CHAPv1 (defined in RFC 2433) and MS-CHAPv2 (defined in RFC 2759). MS-CHAPv2 was introduced with Windows 2000 and was added to Windows 98 in the "Windows 98 Dial-Up Networking Security Upgrade Release" and Windows 95 in the "Dial Up Networking 1.3 Performance & Security Update for MS Windows 95" upgrade. Windows Vista drops support for MS-CHAPv1. Both versions derive the response with DES operations keyed from the NT hash, and a captured MS-CHAPv2 exchange can be attacked offline, so in practice MS-CHAPv2 should only be run inside a TLS-protected tunnel such as PEAP or EAP-TTLS.

Compared with CHAP, MS-CHAP:

- is enabled by negotiating CHAP Algorithm 0x80 (0x81 for MS-CHAPv2) in LCP option 3, Authentication Protocol
- provides an authenticator-controlled password change mechanism
- provides an authenticator-controlled authentication retry mechanism
- defines failure codes returned in the Failure packet message field

MS-CHAPv2 provides mutual authentication between peers by piggybacking a peer challenge on the Response packet and an authenticator response on the Success packet.

Shiva Password Authentication Protocol (SPAP) is a password authentication mechanism defined by Shiva that uses reversible encryption: the password is encoded so that the server can recover it, rather than hashed. A computer running Windows XP Professional, when connecting to a Shiva LAN Rover, uses SPAP, as does a Shiva client that connects to a server running Routing and Remote Access. This form of authentication is more secure than plaintext (PAP) but less secure than Challenge Handshake Authentication Protocol (CHAP) or Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), because anyone who captures the exchange can recover the password; leave it disabled unless a Shiva device requires it.

To enable SPAP-based authentication, you must do the following:

Enable SPAP as an authentication protocol on the RADIUS client. SPAP is disabled by default.

Enable SPAP on the appropriate network policy. SPAP is disabled by default.

Wednesday, April 8, 2009

What is ECN?

Explicit Congestion Notification (ECN) is an extension to the Internet Protocol and is defined in RFC 3168 (2001). ECN allows end-to-end notification of network congestion without dropping packets: a congested router marks the packet instead of discarding it, the receiver echoes the mark back to the sender, and the sender slows down as it would after a loss. RFC 3168, "The Addition of Explicit Congestion Notification (ECN) to IP", states that with the addition of active queue management (for example, WRED) to the Internet infrastructure, routers are no longer limited to packet loss as an indication of congestion.

ECN and Windows Operating Systems

ECN has now been added to the TCP/IP stack in the following Windows Operating Systems:

Windows Vista

Windows 7

Windows Server 2008

How do we enable ECN in Windows?

Open a command prompt as an administrator.

Type "netsh int tcp show global"; this shows the current global TCP settings, including the "ECN Capability" line, which is "disabled" by default on Windows Vista, Windows 7 and Windows Server 2008.
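As an added example (not part of the original post), here is a PowerShell wrapper around that check which also turns ECN on with netsh's documented `ecncapability` parameter and confirms the change; run it from an elevated prompt. It assumes the English "ECN Capability" label in netsh's output.

```powershell
# Added example, not from the original post. Reads, enables and re-reads the
# ECN capability of the Windows TCP stack via netsh. Run elevated.

function Get-EcnState {
    # Pull the "ECN Capability : enabled|disabled" line out of netsh's output.
    $lines = (& netsh int tcp show global) -match '^\s*ECN Capability\s*:'
    if (-not $lines) { return $null }     # label missing: wrong locale or very old build
    return ($lines[0] -split ':', 2)[1].Trim()
}

function Enable-Ecn {
    # Returns $true when ECN is enabled after the call.
    if ((Get-EcnState) -eq 'enabled') { return $true }
    & netsh int tcp set global ecncapability=enabled | Out-Null
    return ((Get-EcnState) -eq 'enabled')
}

"ECN before: $(Get-EcnState)"
if (Enable-Ecn) {
    "ECN after:  $(Get-EcnState)"
} else {
    Write-Warning 'Could not enable ECN; is the prompt elevated?'
}
```

Enable it on a test host first: some older firewalls and load balancers drop or reset TCP segments that carry the ECN bits, which shows up as connections that stall only from ECN-enabled hosts. `netsh int tcp set global ecncapability=disabled` reverts the change.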


About Me

Information Security Management Professional with 12+ years of functional experience in IT Security & Compliance.
Governance of IT Security Projects (Large Geographically Dispersed Enterprise Environments) in real time through collaborative management across all stages, right from Concept to Completion.
Specialties:
• Data Loss Prevention - Solution Design, end-to-end Service Design, Policy Design, Implementation & Technical Architecture Design
• Information Security Management that includes Network, Mail, Host based Security and Compliance Management.
• Conversion of Business Requirements into IT General Controls (ITGCs)
• Delivery Management for Security Operations
• End to End Project and Program management for IT Security and Networks
• CPI (Continuous Process Improvement) and BPI (Business process improvement)
• Auditing and Implementation of Compliance Standards like SOX, FISMA, HIPAA, BS7799, PRINCE2 and ISO-27001.

Disclaimer

Content on this blog is subject to my personal views and opinion, which does not include or reflect any opinion of my current employer or past employers or any other forums or community I belong to. The information provided here is "AS IS" with no warranties, and confers no rights. This blog does not represent the thoughts, intentions, plans or strategies of my current employer or past employers or any other forums or community I belong to. It is fully my own opinion. Inappropriate comments will be deleted at the author's discretion. I have full rights to edit/modify/delete any content of this blog without any prior notice to public/followers/RSS readers of this blog.